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IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 



In re Patent Application of 

Jean-Sebastien CORON et al 

Application No. : 09/763 , 158 

Filed: February 16, 2001 

For: METHOD FOR TESTING A 

RANDOM NUMBER SOURCE AND 
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Group Art Unit: Unassigned 
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SECOND PRELIMINARY AMENDMENT 



Assistant Commissioner for Patents 
Washington, D.C. 20231 

Sir: 



Kindly amend the above-identified application as follows: 



IN THE SPECIFICATION : 

Page 1, delete the paragraph immediately following the title (which was added in the 
Preliminary Amendment filed February 16, 2001), and replace it with the following: 

-This disclosure is based upon, and claims priority from, French Application No. 
98/10592 and International Application No. PCT/FR99/01996, published by the 
International Bureau on February 24, 2000 in a language other than English, the contents of 
which are incorporated herein by reference.-- 
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REMARKS 

The foregoing amendment is being made to comply with the new provisions of 37 
C.F.R. §1. 78(a)(2). 

Respectfully submitted, 



Burns, Doane, Swecker& Mathis, L.L.P. 




James A. LaBarre 
Registration No. 28,632 



P.O. Box 1404 

Alexandria, Virginia 22313-1404 
(703) 836-6620 



Date: April 3, 2001 
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Attorney's Docket No. 032326-123 

Page 1 

Attachment to Second Preliminary Amendment dated April 3, 2001 

Marked-up Copy 

Page 1, Paragraph Beginning immediately following the title: 

-This disclosure is based upon, and claims priority from, French Application No. 
98/10592 and International Application No. PCT/FR99/01996, published by the 
International Bureau on February 24. 2000 in a language o ther than English, the contents of 
which are incorporated herein by reference.— 
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ME1?HQ.D JEQ&^gggl NG A RANDOM NUMBER SOURgE^D_ 
E3+^^ ^ 

The invention relates to a. method for tasting 
sources generating random numbers/ in particular 
sources developed in the context of cryptographic 
sy3tems such as the random number generators 
incorporated in chip cards. 

It is particularly designed to be used in the 
testing and validation of electronic devices such as 
chip caddis , PCMCIA^ , badges / 4 contact less cards or any 
other portable apparatus . 

The majority of cryptography systems of the public 
key type (also referred to as asymmetric cryptography) 
and secret key type (also referred to symmetrical 
cryptography) require the drawing of secret random 
values, It is, essential that such random values, or 
numbers , designed to serve a^ keys subsequently, should 
3 priori be unpredictable ^nd 3hould not exhibit any 
regularities making it possible to find them by 
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strategies of exhaustive or enhanced exhaustive gearah, 
in which the most probable keys are sought first. 

In this regard, there are several methods, for 
testing the random values generated by a random source 
5 and-^to ensure tb^t the said source functions correctly 
and does not exhibit any drift following changes in 
external parameters * of malevolent origin, such as 
alteration by induced radiation. 

Bach of these methods applies to a series, also 
10 referred to as a sequence, of integer numbers between 0 
and a value d, the said series being generated by the 
\J random pourcs . 

rj The most widely known test method is the so-called 

M, "frequency" test. It is a> case of counting the number 

of appearances of each integer between 0 and a value d 
5 in the said sequence- The number of appearances of 

hf each integer is then evaluated statistically, 

p A second so-called ll serieg" test method consists 

j| in a counting and statistical evaluation of the number 

y20 of appearances of all the possible pairs o£ integers 

between 0 and a value d. This test method can be 

broadened), to the counting of triplets or quadruplets of 

integers, etc. 

A third so-called .*hole" test method exists. A 
25 hole in a sequence is a series of numbers outside a 

predetermined interval* It' is a case of a statistical 

evaluation of the length of the said holes in the 

sequence, 

A fourth test method/ known as the *poker'' test, 
30 exist. The test consists in grouping together the 



manors in the sequence in groups of five numbers and 
counting in each quintuplet how many different valuea 
appear. 

X fifth test method, known as the ^collection of 
coupons", consists of statistically evaluating the 
sequence size necessary for all the integer values 
between 0 and d to appear in the said sequence. 

The details of these methods are found in the work 
by Knuth, entitled "The Art of Compute* Programming, 
Vol . 2 , Seminumerical Algorithms" . ^ , 

Another popular test method is Maurer's universal 
test described in the work * Journal of Cryptography", 
Vol. 5, N° 2, 1992, pp 89-105. 'This test has the 
advantage of revealing all the faults detectable by the 
test methods previously cited as well as other 
statistical defeats not detected by these same test 
methods . 

The so-called Kaurer test method, also referred to 
as the universal method, comprises the following steps: 

Step one: Generation of a sequence of (Q+*0 *L 
bits by the random source. Q, K and L are input 
parameters. The bits . in the sequence are grouped in 
blocks of L bits, forming a sequence of integers 
between 0 and of length Q+K. The length is stored 

in the table block [n], where n is between 1 and Q+K. 

Step two: Calculating the 'test parameter, denoted 
fTtJ; this second Step comprising the following steps, 
referred to as substeps 2.1 to 2.5s 

2,1 Creation and initialisation of a table tab [i] 

of si^e 2 h i 



2.2 For n varying from 1 to q, making the 
calculation : tab [block [n] ] -n; 

2.3 Initialising the number Sura to 0; 

2.4 For n varying from Q+l to Q+K, performing the 
calculation: 

£44 log(n-tab [block [n] 3 to Sum; 

Make the calculation: tab [block In] ] ^n; 

2.5 The parameter fTU of the test is given by? 
fTU-(Sum/K)/tog(2) ; 

Step three: Calculation of the variance per teat 
parameter block, denoted Var- Its precise expression 
ie given in the article published by Maurer in the work 
* Journal of Cryptography'', Vol 5, N° 2, 1992, pp. 89- 
105^ which is: 

m an 

Var - a - 20 * 2 log 2tt)**z*-4 - < (1 - s) * £ log 2(i) * 

with log2 (s) =log(s) /log (2) and z=l-2" 11 

Step four: Calculation of the function c(L r K). 
An approxiinate expression of this function is given in 
the article in the abovementiojaed work, which is; 

C (L, K) =0.7-0. 8/L+ (1 . 6+12 . 8/L) *K (-4/L) ; 

Step five; Calculation of the standard deviation 
of the test parameter, denoted a; o=c (L.K) *V(Var/K) ; 

Step six: Calculation of the parameter y; y is 
determined from the rejection rate of the test fixed as 
an Input, denoted p« Y must satisfy the equation.- 

N is the normal .density function described in the 
work by R. Langley; "Practical Statistics", Dover 
publications, New York/ 1968, The equation isr(-y)«p can 
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be resolved using a table of values of Bf. Such a table 
is supplied in the abovementioned article. 

Step seven: Calculation of the ideal mean value 
of the teat, denoted B[fTUJ. Its egression is given 
S in ^fche article published by Maurer in the work * Journal 
of Orbitography" , vol 5 r N° 2, 1952, pp. 39-105, and is 
equal to: 

aCTUl « (1 - z> * J'log2(i) * zi-i 

i = l 

with log2 (2) =log (z) /log (2) and 2=I-2 _X4 

Step eight: Calculation of the 'hounds tl and t2. 

N They are given by the equation: tl«H [fTUJ -y*c and 

[y t2=Ht(Tnj+y*cr. 

fZ - Step niner Result of the tept. 

Qi If the test parameter £TU is between tl and t2 f 

^15 then the random number generator is accepted. In the 
|ji contrary case, it ie refused. 

^ Tha universal test method is therefore baaed on an 

Q approximation in the calculation of the function 

c{L,K), This approximation makes the test less precise 
20 than is wished by the theoretical guarantee serving as 
a basis for it, It io possible to show that, in 
certain cases, the universal test proves to be 2. €7 
times too permissive compared with what is allowed by 
theory. 

25 The object of the present invention is an improved 

test method for achieving the real precision guaranteed 
by the theoretical analysis of the universal test. 
This test serves notably to improve the security of 
portable devices of the chip card type. 



The method of the invention consists in replacing 
step 4 of the universal test by the precise calculation 
of the function c(L,K). This calculation is based on a 
probabilistic analysis of the universal test. 

The present invention gives three distinct 
expressions of the function c(L,K), according to the 
values of the parameters L and K, 

The first expression of c(L,K) is valid whatever 
the parameters L and K. 

The second expression of a(L,K) is valid, in the 
case where the' value L is between 3 and 16 and the 
value K is greater than 30*2^, which corresponds to the 
most usual case of use of the test . It ±3 much more 
simple to calculate than the first expression and aan 
therefore be effected on a simple microcontroller in a 
few milliseconds - 

The third expression of c (L r K) is valid for a 
value of L>16 and a value of K>3 0*2 L . This expression 
is even more simple to calculate . 

The first expression of c(L,K) can be obnained by 
means of the method described below, which contains 
nine steps : 

1. Calculation of: U=1-2~ L and v=l-l/ (2 L -1) ; 
14 and v being real numbers; 

2. Creation of two tables tabl and tab2 of aiz& 

60*2*/ 

3. Filling of tabl and tab2: for .this purpose, 
3,1 Execute s^u, sum-0, asl^l; 



3,2 For i ranging from X to 3 0*2*, repeating the - 
two operations which are: add log2 (i) *2l to sum, in 
which log2 designates the logarithm to base 2, and 

calculate i sl=sl*z ; 
; 3.3 -Execute tabl [0] =■ (1-z) *sum; 

3-4 For i ranging £rom 1 to 60*2^, 

Execute tab! [i] = (tabl [i-l] - *log2 (i) )/z; 

3,5 Repeat steps 3,1, 3.2, 3.3, 3.4/ replacing u 
•with v and tabl with tab2? 

4, Calculation of the variance per block - denoted 

Var ; 

4.1 Execute aum-0 arid x*l; 

4.2 For i varying from 1 to 3 0*2*, execute the 
following two operations: 

Add log2(i) 3 *x to sum and 
Execute x=x* z ; 

4.3 Wake Var=Bum/2 j:, »tabll0j 3 ; 

5, Calculation of p(K); 

5.1 Make surn^G and x=l; 

5.2 For i varying from 1 to 30*2*: carry out the 
following three operations; 

Calculate y;yp=u 2 * (tab2 [i+K»l] -tabl [i+K] ) * (tab2 [0] - 
v l *tab2 [i] ) +u*tabl Eo J * (tabl [i+K-lJ -tab2 [i+K-i] ) , 
Add y*x to sum/ 
Execute x=x*u f - 

5.3 Execute p(K) ^u^" 3 "* *eum; 
€, Calculation of PCD : 

Same method as at step 5, replacing K with 1/ 

7 . Calculation of Q (K) : 

7.1 Majce 61101=0, sum2=0 and x=l, 
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7.2 For i varying from 1 to 30*2 hi 
Add i*log2(i)*U (i ' 2) to sum2; 

Execute the following three operations: 

Calculate y=u 2 * (tai>2 [i+K-l] - 
tabili+K] ) * ( (i+W *tap2 [0] -v**tab2 [i] ) -2 ( - u *aum3> +u* (i+K- 
1) *t'abl [03 * (tajal [i+K-U -tafc.2 [i+K=l] ) , 

Add y*x to sum, \ 

Execute x=x*u; 

7.3 EJXeoute Q (K) =U CK " 11 *SUIH 

8. Calculation of Q(D 

Same method as at step 7, replacing K with 1 

9. Calculation, of c(L,K) 

c (Ii, K> (X-a/Var* (P (1) -P (K) - (Q (D -Q (K) ) /K) 

The second expression of e(L,K) is valid for 

K>30*2 1 '. It is calculated according to the following 

method in. two steps : 

Step one: Reading of fche values of e (L) and dCU) , 

e and d being real values, listed in the following 

table, for L between 3 and 16; 







e(L) 


3 


0.2732725 


0 . 4890883 


4 


0. 30453-01 


0.4435381 




0,3295587 


0- P 4137l96 


6 


0.3489769 


0.3941338 


7 


0,3631815 


0.3813210 


6 


0.3732189 


0 -373019S 


a 


0.3800637 


0.3677118 




Q.3S458S7 


0 ,3643595 


11 


0.3874542 


0.3622979 
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12 0.3893189 0.3610336 

13 Q. 3904405 0.3602731 

14 0.391117a 0.3593216 

15 0.3915202 0-3595571 

16 0.3917561 0.3594040 



Step two: Calculate the value c{L,K) using the 
formula : 

a(fc # K)~V(d(fc)^tti) *2*/V) 
ps The third sxpreeeion of c(i^K) is valid for L>16 

and K>30*2*. It is given by the following formula: 
01 ctt, K) Wtt-S/lP+a/IX 3 * (4*log<2> ~l) *2 3 7K) 

r: The present invention also relates , as stated at 

III the- beginning of the description, page 1, to an 

j £ io electronic device which is not depicted by a figure or 
p diagram* This electronic; device is a device for the 

automatic verification of the physical integrity of a 
y e elf -checking integrated cirauit checking the integrity 

^ of its random generator from the three variants of the 

15 method of the invention, also described above, or more 
explicitly from the three distinct expressions of the 
function c (L y , ip order to ensure that the said 
generator ip functioning correctly in general 1 and does 
not exhibit any drift following changes in external 
20 parameters of malevolent origin, such as an alteration 
by induced radiation, in particular. 

Preferentially, the electronic device carrying out 
the test is a portable device, and more particularly 
consists f for exarrgple, of a chip card, a contactless 
25 card, a PCMCIA card, a badge or an intelligent watch- 
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Finally, the electronic device of the invention 
7 can be an external device conai sting of a machine or 

installation designed to test the correct functioning 
of random generators incorporated in the said portable 
5 devices. This external device allows an exchange of 
information with the portable device so as' ,to check 
that the random generator is functioning correctly. 
The external device interacts with the portable device 
in order to chec]c the integrity of its random 
10 generator- 
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CIAJMS 

1, & method for te3ting sources of random 
numbers , comprising the following steps: 

Step one: Generation of a sequence of (Q+K) *h 
bits by the random source, Q, K and L being input 
parameters r the bits ; in the sequence being grouped in 
blocks of L bits, forming a sequence of integers 
between 0 and 2 L -X of length Q+K, the length being 
stored in the table block [n] , where n is between 1 and 
Q+K* 

Step two? Calculating the test parameter, denoted 
fTU; thl£ second step comprising the following stepa, 
ref erred to asa pubsteps 2.1 to 2 . 5 : 

2.1 Creation and initialisation of a table tab[i] 
of size 2*; 

2.2 For n varying from 1 to Q, making the 
calculation: tab [block [nj ] =n; 

2.3 Initialising the number Sum to o? 

3.4 For n varying from Q-f-l to Q+K, performing the 
calculation in two operations: 

Add log (aa-tab [block [n]] to Sum? 

Make the calculation; tab [block [n] ] ~n; 

2.5 The parameter fTU of the test is given by: 
fTU- (Sum/K) /Log UK- 
Step three; Calculation of the variance per test 

parameter block/ denoted Var, from the following 
expression; 

Var = (i_^*2 log 2fl>»-i - ( {1 - z) * £ log 2(i) * an-*)* 
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with lcg2 (a)«log(z) /log (2) and 

Step four: Calculation of the function c(L,K); 

Step fives Calculation of the standard deviation 
of the test parameter, denoted cr; o^c (L.K) *V(Var/K) ; 

!; Step six: Calculation of the parameter y; y is 
deterrni&ed from the reject ion rate of the test fixed as 
an input , denoted p- *Y must satisfy the equation: 

N is the normal density function; 

Step seven: Calculation of the ideal mean value 
of the test, denoted E [fTU] , given by the following 
formula: 

B[f Tq m (1 - 2) * ^ lo 9 * 

With log2(z) c =log(z)/log(2) and 2=1-2^ 

Step eights Calculation of the bounds tl and t2 < 
They are given by the equation; tl-B [fTU] -y*cr and 
t2=B[fTU] types'; 

Step n,ine; Result of the test: the random number 
generator being accepted if the test parameter fTU is 
between tl and t2, and rejected in the contrary case, 

the eaid method being characterised in that step 
four consists of a calculation of the function c(L / K) 
which is valid whatever the parameters L and K. 

2, A method for testing sources of random numbers 
according to Claim l f characterised in that step four 
consists off a calculation of the function c(L,K) which 
ia valid in the case where the value of L is between 3 
and 15 and the value of K is greater than 3 0*2^. 
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3 , A method for testing sources of random numbers 
according to Clairn 1, characterised in that step four 
consists of a calculation of the function c(L,K) which 
i@ valid for a value of h>XS and a value of K>30*2 11 . 

4, A method according to Claim 1, characterised 
in that the calculation of the function c(L,K) contains 
nine steps t 

X . * Calculation of: u=l-2~ L and v=l-l/ (2*-l) ; 
u and v being real numbers.; 

2, Creation of two tables tabl and tab2 of size 

SQ*2 L ; 

3.1 Execute z-u, eum-O, 2X-1; 

3.2 For i ranging from 1 to 30*2 L 7 repeating the 
two operations which are; add log2(i)*zl to aum, in 
which Jog2 designates the logarithm to base 2, and 

calculate ; sl=zl*s; 

3.3 Execute tabl [0] «{l-z) ^aum; 

3.4 For i ranging from 1 to 60*2 L , 
Execute tabl [i] = (tabl [±-l] - (l-ss) *log2 (i) ) /z ; 

3.5 Repeat' steps 3,1, 3.2, 3*3, 3,4, replacing u 
with v ct&d tabl with tab2; 

4, Calculation of the variance per block denoted 

4.1 Execute sum-O and x=l; 

4.2 For i varying from 1 to 30*2*, execute the 
following two operations; 

Add log2(i) a *x to sum and 
Bxecute x^x*^; 

4.3 Make Var=sum/2^tabl[0] 2 ? 

5, Calculation of P(K) 
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5.1 Ma}ce sunMJ and x«l; 

™ i co 3 0*2*2 carry out the 

5.2 For i varying from l to so . 

following three operation = _ 
Capiat, yj y=uH(t^2U + K-l]-tablt 1+K n (t*2l01 

vi *t^ 2 [il ) + u*tafcX [01 * (t*X [i^-H -tab2 [i +K -l3 ) . 

Add y*x to sum, 
Execute x=x*u; * 

5.3 execute p (K) *sum; 

S Calculation of P (D ' 

Same matbod a 3 at step 5, replacing K with 1, 
7. Calculation of Q<K) : 

7.1 Mate suro2=0 and x=l, 

7.2 For i varying from 1 to 30*2~L: 
Add i*log2(i)*u (i - al to sum2; 

•' Execute the following three operations 

Calculate y=u 2 * (t«M - , . _ , i+K 

tBbiCi+K3)*((i+W* tabaC03 " v taMl 1 
1) *taW [0] * (taWL [i+S-U - taM ) < 

£43 y*x to £Uttw 

Execute 3C=x*u; 

7,3 Execute Q (X) * sum 

S calculation of QUI 

Same method as »t step 7, replacing K with 1 

9 P calculation of c(L,K) 

c a,, K )^(l-2/var*(P!l)-PW-(Q(i)-5W)/ K ) 

5 R ^thcd according to Claim 2, charactered 
io that the potion CO..B stains two steps. 

Step one: Reading of the value* of .(« and dUO . 
. a=d d oeiug real values, listed iu the follow 
table, for Ii between 3 and IS: 
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L 
3 
4 
5 
€ 
7 

10 
11 
12 
12 
14 
15 
16 



d(L) 
0.2732725 
0,3045101 
0.3296587 
0.34897S9 
0-,36318lS 
Q.37321S9 
0.3800637 
0.3845B67 
0.3874942 
0.3893189 
Q .3904405 
0.3911178 
0 .3915202 
0.3917S61 



e(L) 
0 ,4890883 
0.4435381 
0.4137196 
0.3941338 
0,3813210 
0. 3730195 
0.3677118 
0.3643695 
0,3622979 
0.3610336 
0.3602731 
0 .3598216 
0.3595571 
0.3594040 



Calculate the value e(L,K) using the 



Step two: 

formula: 

o(L,K)^(d(i)+e(L)*2V20 

6. A method according to Claim 3, characterised 
in tJ»t the calculation of the functions c(L,K) is 
effected by mean* oi the following formula: 

c a., w -V u^/n 3 +2/n 3 * (4*io g (2) -u *s7k) 

7. An electronic device for the pelf -checking of 
the physical integrity of a self -checking integrated 
circuit and checking the integrity of its random 
generator, in order to ensure that the latter is 
functioning correctly in general and does not exhibit 
any drift following changes in external paraioaters of 



malevolent origin such as an alteration by induced 
radiation, in particular, according to any one of 
claims a to 3 . 

8, An electronic device according to Claim 7, 
characterised in that the device performing the test is 
a portable device. 

9- An electronic device according td Claim a, 
characterised in that the device is a chip card, a 
contact I ees card, a PCMCIA card, a badge or an 
intelligent watch » 

10, An electronic device according to any one of 
Claims I to 6» characterised in that an external device 
performing the tept consists of a machine or 
installation designed to test the correct functioning 
of 'random generators incorporated in the said portable 
devices . 
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